@Asherslab
Last active December 10, 2021 04:15
Log4J RCE in relation to Minecraft

Disclaimer

All information below is accurate to the best of our knowledge; however, because this is an ongoing issue, please err on the side of caution.

Our recommendation is not to connect to ANY servers or RUN any servers until Mojang has made an official announcement regarding this issue.

RCE Summary

LunaSec Article

TL;DR: The RCE is in the logging library Log4j. When a logged message contains a lookup of the form ${jndi:...}, Log4j performs a JNDI lookup against whatever address the message names, typically an attacker-controlled LDAP or RMI server, and can load and run a class fetched from there inside the Java runtime. Anything a server logs that an attacker can write into is therefore a potential trigger. More details are in the article above.

Warning: the article is highly technical; read the sections below if you do not understand it.

How is Minecraft affected

The lookup feature behind this exploit was introduced in Log4j 2.0. Minecraft has shipped Log4j 2 since version 1.7, so every release from 1.7 onward, snapshots included, is affected.

Minecraft logs many things sent by clients through Log4j; the simplest and easiest example to exploit is chat messages, which the server writes to its log verbatim.

(User) What Can I Do

If you are on 1.17 or 1.18, use the official launcher, and are not playing modded, the fix Mojang announced on Twitter resolves the issue for you (keep an eye on that tweet in case there are updates).

If you are NOT on the official launcher, are playing modded, or are on 1.16 or below:

Do not connect to any servers; there is simply nothing you can do until Mojang fixes the issue.

Play Single Player.

(Server Owner) What Can I Do

If your server is on 1.17 or 1.18, add -Dlog4j2.formatMsgNoLookups=true to the JVM arguments: in your user_jvm_args.txt file if your server launcher reads one, otherwise directly on the java command line that starts the server, and then restart the server. This flag is only honoured by the Log4j version those two releases ship; the older Log4j bundled with earlier Minecraft versions ignores it. To confirm the flag took effect on your own server, send a harmless lookup such as ${java:version} in chat: with the flag active it appears in the log exactly as typed rather than being expanded.

Please read and understand the disclaimer at the top of this document before proceeding

If your server is on 1.16 or below, shut it down; there is nothing you can do about this issue until the relevant software is fixed by Mojang.

Wait for a public announcement from Mojang or any follow up messages to this document.
